integrated assessment record privacy, security and consent management training
TRANSCRIPT
Integrated Assessment Record
Privacy, Security and Consent Management Training
2
Agenda
1. Introduction2. Privacy and Security Processes
• Incident Management• Consent Management • Client Privacy Rights Support• Audit Log Review • Privacy Review• User Account Management• EMPI
3. Communications 4. Awareness and Training 5. Next Steps and Reminders
3
Introduction
Purpose of Training
• Provide a thorough understanding of the privacy and security key processes that support IAR as mentioned in the Data Sharing Agreement
• Provide guidelines to implement these privacy and security processes in each HSP in compliance with privacy legislation
• Begin planning the integration of the IAR processes into your existing HSP processes
• Help you meet the IAR implementation milestones
4
5
The IAR is an application that allows assessment information to move with the client from one health service provider to another.
Health service providers (HSPs) can use the IAR to view timely client assessment information:
• electronically
• securely
• accurately
What is the Integrated Assessment Record (IAR)?
Long-Term Care Homes
Community Mental Health
Inpatient Mental Health
Others
Community Care Access Centres
Community Support Services
Addictions
6
Information Flow: Today
Your HSP
Collection
Use
Fax
Phone
Courier
Other HSPsClients
Your HSP’s privacy policy and processes
Governed and supported by:
Disclosure
7
Your HSP
CCAC
Governed and supported by:
LTCH
CMH
Disclosure
Information Flow: IAR
8
Your HSP
Collection
Use
Other HSPsClients
Disclosure
Fax
Phone
Courier
CCAC LTCH
Other CSS HSPsCMH
DisclosureDisclosure
Collection, Use and Disclosure of Assessments
9
What is Privacy?
Privacy is the right of an individual to control the collection, use and disclosure of his/her personal information.
10
Health Information Custodian
• “Health information custodian” means a person or organization (described in PHIPA) who has custody or control of Personal Health Information as a result of or in connection with performing the person’s or organization’s powers or duties or the work.
• The HSP who collects/uses/discloses the assessment is the Health Information Custodian (HIC) for the assessment – in its role as a HIC, the HSP has to fulfill their obligations as prescribed in PHIPA
Health Information Network Provider
PHIPA defines this legal term as “a person [or organization] who provides services to two or more health information custodians where the services are provided primarily to custodians to enable the custodians to use electronic means to disclose personal health information to one another, whether or not the person is an agent of any of the custodians.” O. Reg. 329/04, s. 6 (2).
11
12
Collection, Use and Disclosure
Privacy activities are described using three terms:
Collect: An HSP has ‘collected’ PHI when it has gathered, acquired, received or obtained information about a client by any means from any source.
Use: An HSP ‘uses’ PHI when it handles or deals with PHI that it has collected.
Disclose: An HSP discloses PHI when it makes information in its custody available to other HSPs or to other people outside of the HSP.
13
Ontario Health Information Privacy Legislation
PHIPA – Personal Health Information Protection Act• Ontario’s privacy in healthcare legislation introduced in 2004• PHIPA is informed by the 10 privacy principles set out in the
Canadian Standards Association Model Code for the Protection of Personal Information
• The Act regulates how patients’ (or clients’) Personal Health Information is collected, used, retained, transferred, disclosed, provided access to and disposed of.
• The Act applies to a variety of organizations and individuals within the health care sector, including but not limited to, health information custodians (e.g., hospitals and health care practitioners), agents to HIC (who can be either organizations or individuals, and who are authorized to act for or on a health information custodian’s behalf), health information network provider (HINP).
141414
IAR HINP and HIC
Privacy Obligations
1515
HINP Privacy and Security Obligations
• Designate a Health Information Network Provider (HINP) Privacy Officer
• Sign the Data Sharing Agreement (DSA)
• Coordinate consent/consent directive management
• Coordinate incident management
• Coordinate the support of client’s privacy rights
• Manage user accounts in IAR
• Review IAR logs
• Perform Threat and Risk Assessment (TRA) and Privacy Impact Assessment (PIA)
• Publish privacy practices, plain language description of IAR services, safeguards for IAR services, summary of PIA/TRA
1616
HIC/HSP Privacy and Security Obligations
• Designate a privacy contact person (HSP Privacy Officer)
• Sign the Data Sharing Agreement (DSA)
• Manage client’s consent and consent directive
• Manage privacy incidents
• Support client’s privacy rights
• Manage user accounts
• Review logs
• Manage client’s demographics in Enterprise Management Patient Index (EMPI)
• Other HSP’s general privacy obligations (i.e., publish privacy practices, data accuracy)
IAR Privacy and Security Implementation Framework
17
18
Communication ● Awareness and Training
IAR Privacy & Security Implementation Framework
Consent Management
DATA SHARING AGREEMENT (DSA)
Privacy Review
UserAccount
Management
EnterpriseMasterPatientIndex
ClientPrivacyRights
Support
AuditLog
Review
Privacy and Security Support
Incident Management
Privacy and Security Key Processes
19
Data Sharing Agreement
• Formal agreement between parties who agree to share data– Define the terms and conditions governing the data sharing– Establish the accountabilities and responsibilities with regards to
data sharing– Define the obligations and rights of each participant– Describe the PHI privacy and security requirements
• Instil trust among participants to enable the data sharing
• DSA Workshop available to explain the document in detail
• DSA is available on the CCIM website:https://www.ccim.on.ca/IAR/Private/Pages/Security%20and%20Privacy%20ToolKit.aspx
2020
Privacy and Security Process Implementation Steps
1. Analyze existing internal processes with the requirements presented and determine gaps
2. Design new process or process steps to address the gaps 3. Develop the required processes, process steps or supporting artifacts4. Implement the newly designed and developed process or steps (remember
to include training and communications to HSP staff)
STEP 1ANALYZE
STEP 2
DESIGNSTEP 3
DEVELOPSTEP 4
IMPLEMENT
2121
Incident Management
Integrated Incident Management
22
Incident Management
• What is Incident Management? The ability to provide end-to-end management of a series of events that are initiated in response to a privacy or security breach
• Integrated incident management process must be established to coordinate the incident response activities among all participating organizations, which includes:– Detection– Escalation, notification and reporting– Incident handling (containment, eradication, recovery)– Lessons learned
• The process will interface with each HSP’s incident management process and will focus on collaboration and cooperation activities
2323
Example of Incidents
• Printed patient assessment information is left in public area (e.g., coffee shop)
• Theft, loss, damage, unauthorized destruction or modification of patient records
• Inappropriate access to patient information by unauthorized users
• Out of the ordinary user activity as indicated during a regular log review
• User account and password was compromised
• Network infrastructure is attacked by hackers
• Violation of joint security and privacy policies or procedures
2424
Incident Management Assumptions
• Incident management processes exist at both health information custodian (HIC) and health information network provider (HINP) organizations
• Privacy Officer role exists at HICs and HINP
• Existing HIC level incident management process has identified incident contact person (e.g., Privacy Officer)
• Incidents can be reported through the incident contact person at the HICs
252525
Integrated Incident Management Approach
• Four phases in the integrated incident management process:– Detection– Escalation– Handling– Reporting
• The most responsible party activates internal processes to handle the incident
• The party that receives incident report escalates incident to the most responsible party
• The most responsible party updates the Incident Registry at HINP and notifies affected clients
2626
Privacy Breach Protocol
• Information & Privacy Commissioner (IPC) recommends that the HINP develop a privacy breach protocol
• The protocol enables the HINP and participating HSPs to respond quickly and in a coordinated way during a privacy breach
• Roles and responsibilities are defined
• Investigation and containment are effective and efficient
• Remediation is easy to implement
27
Incident Management Process Maps
• Incidents can be detected or reported from the following parties:
1.HIC
2.Client or third party of the HIC
3.HINP
4.Third parties (e.g., agents or service providers) of HINP
• Processes are developed based on the four parties defined above
2828
Scenario 1 — Incident Detected by HIC
HIC detected an incident, such as:
• Printed patient assessment records were lost
• User account and password were compromised
• Network at HIC was broken into by hackers (suspect IAR upload files have been accessed)
29
1.0 Incident Detected by HIC
*Shaded boxes indicate existing steps in HSPs
Integrated Incident Management Processes – 1.0
Mos
t R
espo
nsib
le
HIC
HIN
PH
ICC
lient
Incident Handling ReportingDetection Escalation
1.2Does incident involve
other HIC(s)?
1.1 Incident is detected by
the HIC
1.9Internal processes to document and handle
incident
1.10Client(s) receives
notification of breach from HIC(s)
1.3 Documents incident and sends Incident
Report to HINP
1.4 Creates incident in
Incident Registry and notifies the most responsible HIC
1.6Internal processes to document and handle
incident
1.7Sends incident
resolution to HINP
No
yes
1.8Creates/updates
incident resolution in Incident Registry
1.5 HIC initiates internal
incident handling process
Start
End
3030
Scenario 2 – Incident Reported by Client / Third Party
• A client / third party reports an incident to a participating HSP, such as:
“My ex-spouse working in your organization accessed my medical information and used it in our child custody case. Why can he / she access my medical record?”
• A third party (non-client) found printed assessment information on HSP letterhead left at local coffee shop
31
Integrated Incident Management Processes – 2.0M
ost
Res
pons
ible
H
ICH
INP
HIC
Clie
nt/3
rd P
arty
Incident HandlingEscalation ReportingDetection
2.4 Send incident report to
HINP
2.3Does incident
involves other HIC?
2.1Client or 3rd Party
reports incident to HIC
2.2 HIC reviews incident
report from client
2.10Internal processes to document and handle
incident
No
2.11Client(s) receives
notification of breach from HIC
2.6 HIC initiates internal
incident handling process
2.7Internal processes to document and handle
incident
2.8Send incident
resolution to HINP
Yes
2.9Creates/Updates
incident resolution in Incident Registry
2.5 Creates incident in
incident registry and notifies the most responsible HIC
Start
End
2.0 Incident Reported by Client / Third Party of HIC
*Shaded boxes indicate existing steps in HSPs.
3232
Scenario 3 — Incident Detected by HINP
• HINP detected an incident, such as:
– IAR backup data unaccounted for (lost or stolen)
– Potential misuse of access is identified
– Extraordinary user activity as indicated by regular review
– Data backup tape that contains server and system data is missing
33
3.0 Incident Detected by HINPIntegrated Incident Management Processes – 3.0
Mo
st r
esp
on
sib
le H
ICH
INP
Clie
nt
EscalationDetection
3.1 Incident is detected by
or reported to HINP
3.4 Internal processes to
handle Incident
Incident Handling Reporting
3.3Does incident involve
other HIC(s)?
No
3.5Updates incident
resolution in Incident Registry
3.8Internal processes to document and handle
incident
3.7HIC initiates internal
incident handling process
Yes
3.10Client(s) receives
notification of breach from HIC
3.9Sends incident
resolution to HINP
3.6 HINP notifies the most
responsible HIC
3.2 Creates Incident
Record in Incident Registry
Start
End
End
*Shaded boxes indicate existing steps in HSPs.
3434
Scenario 4 – Incident Reported by Third Party of HINP
• Third party may report an incident to HINP, such as:
– Record management service provider reports to HINP that one IAR data backup tape is missing during transit
• Data backup tape that contains server and system data is missing
35
4.0 Incident Reported by Third Party of HINPIntegrated Incident Management Processes – 4.0
3rd P
artie
sH
INP
Mos
t R
espo
nsib
le
HIC
Clie
ntDetection Escalation Incident Handling Reporting
4.13rd party reports incident to HINP
4.2HINP reviews the
incident report from 3rd party
4.4 Does incident involve other
HIC(s)?
4.8HIC initiates
internal incident handling process
4.9Internal processes to document and handle incident
4.5Internal processes to handle incident
4.6Update incident
resolution in Incident Registry
4.10Sends incident
resolution to HINP
4.7 HINP notifies the most responsible
HIC
Yes
No
4.11Client(s) receives
notification of breach from HIC
4.3 Creates incident in
incident registry
Start
End
End
*Shaded boxes indicate existing steps in HSPs.
Incident Management: Analyze
• Map and review existing (internal) incident handling and management process and supporting artifacts
– Incident handling process
– Client notification process
– Investigation, containment and recovery process
– Communication mechanism to client, staff and third parties (i.e., poster / brochure / website)
36
37
Incident Management: Design
• Review each integration point
– Detection
– Escalation
– Handling
– Reporting
• Make decision on each integration point
• Update the existing process
Integration Points and Questions
Detection How do staff, clients and third parties know who to contact if they uncover an incident?
What information is needed from the incident reporter?
What happens after the incident is reported to you or your team?
Escalation Who would communicate with HINP Privacy Officer if incident involves other HSPs?
How would you prepare incident report and information to assist incident escalation to other HSPs?
When the HINP escalates to your organization, do you or your team know what to do next?
How do you communicate this process to members of your incident handling team?
Handling Review existing incident handling process for investigation, containment and recovery
When and how do you involve the IT operations team (if needed)
Review procedure to notify client (if their PHI is breached)
Reporting Explore ways to review incident logs and gather lessons learned
38
39
Incident Management: Implement
• Internal approval of revised/new process(es)
• Provide training and awareness to all staff members in your organization (not just clinicians or IAR users)
• External communications (clients and third parties)
– Poster, brochure, corporate website, centralized e-mail box
40
Consent Management Consent Management
4141
Consent Management — Overview
• Enables client control over how their personal health information (PHI) is collected, used, disclosed and shared – Ensures compliance with PHIPA
• Consent Directive – A client’s instruction on how their Personal Health Information
can be collected, used and disclosed
• Consent Model– Informed consent– Implied and express consent– Scope of consent directive– Structure of consent form (if required)
• Consent Management Process
42
Informed Consent — Elements of Informed Consent
Clients should be informed about:
• What information about them is being collected, used and disclosed
• Why their information is being collected, use and disclosed (i.e., The purposes of the collection, use or disclosure, as the case may be (2004, c. 3, Sched. A, s. 18 (5).)
• How information is being collected, used and disclosed and with whom
• Individual’s right to give or withhold consent (2004, c. 3, Sched. A, s. 18 (5))
• The positive and negative consequences of giving, withholding or withdrawing consent
43
Implied and Express Consent Types
Implied Consent – refers to situations in which it is reasonable to infer that the client is consenting and it is not necessary to specifically (or expressly) ask for the client’s Consent.
Express Consent – refers to situations where Consent is given explicitly, either orally or in writing. Express Consent can be signed or checked off on a list.
The key is to ensure the consent obtained is valid.
44
Consent Form – Page 36 Implementation Guide
45
Sample Brochure
46
Sample Brochure
47
Sample Poster
48
Message ScriptThe collection, use, disclosure (share) of client’s assessment
We will/would like to complete the assessment with you to identify the support and service you need. The assessment will cover <<Description of Information that may be part of the assessment>>. We collect and use your personal health information during the assessment in order to provide you with services that suit your individual needs. We also use your information to coordinate service planning with other Health Service Providers in order to provide you with better service.
Sharing of client’s assessment
If you agree, your information may also be shared via an electronic sharing system with other agencies that provide services to you.
What your Consent means
Your information may only shared with other agencies with your Consent.
If you do not want to share your assessment information with other agencies, you can let me know today or inform our staff anytime in the future, and we will make sure the assessment will not be shared. We also use a centralized electronic system to share assessments among partner agencies. The electronic system stores all of your assessment from <<HSP name>> and other agencies. If you don’t want any of the assessment information shared in the electronic system, please contact the support centre, who will ensure that no one will be able to access your assessments. You should know that your consent directive will take effect in <<# number of business days>>.Optional: If you give us your consent, this may mean:
<<Positive and negative consequences for sharing the assessment>>. If you choose to withdraw your consent and not share your assessment, this may mean: <<Positive and negative consequences for not sharing the assessment>>.
Your privacy rights
You can request a copy of the assessment information in your file by contacting us. You also have the right to request a correction or amendment to your assessment information, or log a complaint if you feel that we have not addressed your privacy concern correctly.
More information or question?
If you would like to know more about how your personal health information is handled and shared with agencies, you can contact the privacy officer at the <<HSP name>>. They will help you understand what it means to share your assessment and will be able to answer your questions. Please contact our designated privacy contact at <<contact information>>.
Group Discussion• Discuss at your table what your current process is for
informed consent. – What methods do you use?
• Posters• Brochures• Face to face discussion
• What methods do we want to add or change in the future?
• What types of material would you develop to support the future method of informing?
• What do we currently tell our clients?• What will we tell our clients about IAR?
49
50
IAR Consent Model
IAR supports two levels of Consent Directive:
• HSP-level Consent Directive applied to the assessments collected by the individual HSP
• IAR-level Consent Directive applied to all assessments in IAR relating to a client
51
HSP-Level Consent Directive
• HSP will obtain consent/Consent Directive from the client and register the consent in the assessment tool– Consent Directive, along with the assessment, will be uploaded
to IAR– IAR will inherit the consent flag submitted along with the
individual assessment and automatically enforce the Consent Directive in IAR
• Alternatively, the HSP can login to the IAR consent interface to register the Consent Directive manually– Only the assessments from the HSP will be affected
HSPs need to determine whether their software can upload the consent flag, or if they will need to do this manually
5252
IAR-Level Consent Directive
• To register the IAR-level Consent Directive, the client can call the Consent Call Centre:
Regular Toll-free: 1-855-585-5279TTY Toll-Free: 1-855-973-4445
– Consent to share in the IAR means all of the client’s assessments across HSPs will be shared with participating HSPs that provide care to the client
– If consent is withheld in the IAR, all of the client’s assessments already in the IAR, and uploaded in the future, will be locked and participating HSPs will not be able to view them
• The more restrictive Consent Directive (either HSP-level or IAR-level) will be enforced
https://www.ccim.on.ca/IAR/Private/Document/IAR%20Education%20and%20Training/IAR_session_materials/IAR_Privacy_security_kickoff_and_Consent_mgt/consent_mgt/IAR%20Consent%20Call%20Centre%20Flyer.pdf
53
How Consent Works in IAR
HSP Level Consent Directive
Client
HSP-A
Assessment A1 Assessment A2
Yes Yes
HSP-B
Assessment B1 Assessment B2
No No
IAR
Assessment A1 Assessment A2
Yes Yes
Assessment B1 Assessment B2
No No
IAR Level Consent Directive - YES
IAR Level Consent Directive
Clinician
54
How Consent Works in IAR (Cont’d)
HSP Level Consent Directive
HSP-A
Assessment A1 Assessment A2
Yes Yes
HSP-B
Assessment B1 Assessment B2
No No
IAR
Assessment A1 Assessment A2
Yes Yes
Assessment B1 Assessment B2
No No
IAR Level Consent Directive - No
IAR Level Consent Directive
Clinician
IAR Consent Directive in Effect
55
HSP Assessment Consent Directive in Effect
56
Scenarios: Client Needs HSP Help
1. Client is not comfortable or not able to call the Consent Call Centre by himself / herself
2. Client does not have enough information to identify himself / herself
3. Client has a substitute decision maker (SDM) who wants to provide a Consent Directive on his / her behalf
57
Client Needs Help with Calling Consent Call Centre
• The clinician or case worker can help the client place the call to the Consent Call Centre
• If the client needs assistance navigating through the process during his / her encounter with the Consent Call Centre customer service representative (CSR), the clinician or case worker may help the client by repeating the message from the CSR or explaining what information is required
• Some basic identifying information about the clinician or case worker will be asked by the CSR to identify the client and link his / her Consent Directive to the correct assessments in IAR
• The client will still need to provide the consent to the Consent Call Centre himself / herself
58
Client Needs Help Identifying Self
• If the client does not have a Health Card Number, a fixed address or a telephone number, the client is required to place the call to the Consent Call Centre from an HSP
• The Consent Call Centre CSR will request the assistance of the clinician or case worker to help verify the identity of the client
• The client will provide the consent to the Consent Call Centre
• Some basic information about the clinician will be asked by the Consent Call Centre
59
SDM Needs Help Identifying Themselves
• If the client has a Substitute Decision Maker (SDM) providing the Consent Directive on their behalf, the SDM is required to place the call to the Consent Call Centre from an HSP — the Consent Call Centre CSR will request the assistance of the clinician or case worker to help verify the identity of the SDM
• The CSR will ask the clinician or case worker for information to validate the clinician or case worker as an authorized person from the HSP, including the clinician’s name, HSP name, HSP phone number, IAR user ID, etc.
• Once the identity of the SDM is verified through the clinician or case worker, the SDM will continue the encounter with the Consent Call Centre, and provide the client’s Consent Directive to the CSR
60
61
Integration Points
Consent Model
• Informing the client: What to say, how to say it
• Implied or express consent
• Scope of the Consent Directive
• Structure of Consent form
Consent Process
1. When to inform the client
2. When and how to obtain and update consent
3. How to record the consent directive in a central location, and who performs this activity
3. Register/Update Consent Directive
– How to register Consent Directives
– Who registers Consent Directives
4. Enforcing Consent Directive
– How to effectively enforce the Consent Directive
62
ClientPrivacyRights
Support
Client Privacy Rights Support
63
Client Privacy Rights Support Process
• Integrated client privacy support process (service desk) to fulfill Health Information Custodian’s (HIC) privacy obligation to: – Provide access to their Personal Health Information (PHI)
upon client’s request– Make correction to PHI upon client’s request– Handle client’s challenge concerning compliance with privacy
legislation
• The process will interface with each HSP’s existing process and will focus on collaboration and cooperation activities
6464
Approach
• If the request to access or change the assessment or the complaint relates solely to information in the custody or control of a single HIC, local processes are used
• If the request to access or change the assessment involves other HICs, the HIC identifies the other involved HICs for the client
• If the complaint involves more than one HIC, the HINP identifies the most responsible HIC to handle the response
65
Client Privacy Rights Support Assumptions
• Each HIC has in place policies and procedures to support client privacy rights
• HICs only release and correct information within their custody or control
• HINP will only participate or coordinate the privacy complaint management process
• IAR is a repository of information that originates from multiple HICs and is not considered the source of truth for that information
66
1.0 – Request a Copy of Assessment
*Shaded boxes indicate existing steps in HSPs.
Client Privacy Support Processes – 1.0H
ICC
lient
EscalationRequest for Assessment
1.1Requests copy of
assessment
1.2 Initiate process to
review request
1.4Initiate process to
handle and respondto the request
Handling Reporting
1.3Does it involvedata from other
HICs?
1.5Client receives
response
Yes
1.6Redirects client to appropriate HIC
1.7Client receives
redirection instructions
Start End
No
67
2.0 – Request a Correction to Assessment
*Shaded boxes indicate existing steps in HSPs.
Client Privacy Support Processes – 2.0H
ICC
lient
Yes
2.5Client receives
response
2.2 Initiate process to
review change request
No
Reporting
2.1Requests correction or
modification to Assessment
Handling
2.7Client receives
redirection instructions
2.3Does it involvedata from other
HICs?
2.4Initiate process to
handle and respondto the request
Client request HIC to modify / correct Assessment
Start
Escalation
2.6Redirect Client to appropriate HIC
End
68
3.0 – File a Complaint With the HIC
*Shaded boxes indicate existing steps in HSPs.
Client Privacy Support Processes – 3.0M
ost
R
esp
on
sib
le
HIC
HIN
PH
ICC
lien
tHandlingEscalationClient IAR related complaint Reporting
3.1 Client files IAR related
complaint with HIC
3.2 Initiates process to
receive request
Yes
3.5Notifies HINP of
complaint
3.3Involve other
HICs?
3.6Records complaint in
log
3.10Handles and responds
to complaint
3.4Internal process to
handle and respondto the request
3.14Client receives
response
3.12Updates Complaint
Log
No
3.9Initiates handling of
complaint
3.11Notifies HINP of end
result
3.8Sends instruction and documentation to most
responsible HIC
3.7Facilitates the
response among HICs
3.13Notifies original
receiver of complaint of the end result
Start End
End
69
Client Privacy Rights Support: Analyze
• Map and review existing Client Privacy Right Support process and supporting artifacts– Client Request Form– Patient Privacy Right Complaint Form– Patient Privacy Right Complaint Report
• Review each integration point– Determine if request to view / access / change involves other
HSPs– Standard re-direct letter / form template to respond to client– Keep Privacy Officer contact list handy for response to client– Determine if the filed complaint involves other HSPs– Establish a communication mechanism with the HINP for
escalation of privacy complaint• Make decision on each integration point on the next slide• Update the existing process
70
Client Privacy Rights Support: Design
71
Design Integration Points
• Client requests a copy of an assessment– How do you use IAR to determine if the request involves other
assessments from HSPs?– Redirect client to make request to other HSPs – make use of
the provided form template
• Client requests change to assessment– Use IAR to determine if request involves other HSPs– Review process of consulting with staff if changes can be
made or not– Use form template to respond to client
• Client files privacy complaint– Who reviews complaint and determines if other HSPs are
involved?– Review communication mechanism with HINP to escalate the
privacy complaint that involves other HSPs
Client Privacy Rights Support: Develop
• Review the samples provided • Determine if you will update your existing materials:
– Process maps
– Client Request form, if needed
– Client Request Response form, if needed
– Patient Privacy Right Complaint form, if needed
– Patient Privacy Right Complaint report, if needed
72
73
Client Privacy Rights Support: Implement
• Approve the process by senior management• Communicate the process with all staff• Provide training and awareness to your clinical staff or
health record personnel• Establish a communication mechanism with the HINP
(email or phone call)
74
UserAccount
ManagementUser Account Management
75
User Account Management
• User account management process must be established to ensure only authorized users with business need can access the IAR:
– Users within each organization can access IAR systems only for the purpose of providing health care
– User account request has to be reviewed and approved
– User account must be disabled immediately when user leaves the organization
767676
User Account Management: Approach
• User Account Management is centralized
• IAR Support Centre at CCIM acts as the single point of contact for all HSPs participating in IAR
• HINP is responsible for all user account administration activities (creation, update, change and removal)
• Each HSP is asked to identify and submit the name of its user authority and user coordinator to CCIM
77
HSP User Account Management Responsibilities
• Each participating organization has a designated person to authorize user access to IAR called a User Authority (UA)
– A UA should be someone in management or someone who has knowledge of who should use IAR
• Each participating organization has a designated contact person for day-to-day user account management activities called a User Coordinator (UC)
– A UC is responsible for liaising with the Support Centre for modification or update of user details, and removal of user account when user no longer requires access
7878
User Responsibilities
• Every IAR user has to be authorized by an HSP
• Every IAR user must read the IAR User Agreement before receiving a user account (HSP responsibility)
• Every IAR user has to read and accept the IAR User Agreement before access (on screen, upon login)
• User accounts are disabled immediately when users no longer require access
7979
User Account Management Process Maps
HSP can:
1. Request a new user account to access IAR
2. Request a change or update of user account information (e.g., phone number, location, email, etc.)
3. Request to remove one or multiple user accounts (e.g., user left organization, user no longer has IAR access)
Processes are developed based on these three scenarios
80
1.0 Creation of New Users
1.0 User Account Management – Creation of New UsersIA
R S
up
po
rt
Ce
ntr
eH
INP
HS
P
1.4 User Coordinator (UC) sends request to
create User Account
1.1 Manager completes User
Account Request form
1.2 User accepts IAR User
Agreement
1.3 User Authority (UA) authorizes User Account
request
1.10 New user logs in to IAR and changes password
1.5 Reviews User Account request and sends ticket
to HINP
1.9 UC informs user of new IAR username and
password
1.6 Validates UA authorization and
creates User Account in IAR
1.7 Updates ticket for Support Centre
1.8 Sends username and
password to HSP UC
Start
1.11 Updates and closes the ticket
End
81
2.0 Request to Change
2.0 User Account Management - Modification of user detailsH
INP
IAR
Sup
port
C
entr
eH
SP
2.7 Informs UC the change is
completed
2.4 Reviews user account change
request and sends ticket to HINP
2.5 Validate UC authorization and
modifies User Account in IAR
2.8 UC informs user change in user account is
completed
2.6 Update ticket for Support Centre
2.3 UC sends change request to
CCIM Support Desk
2.2 UC reviews and signs off on
account modification form
2.1 User or user’s manager requests
change of user information
Start
End
2.9 Updates and closes the ticket
82
3.0 Removal of Users3.0 User Account Management – Removal of User Accounts
HIN
PIA
R S
uppo
rt C
entre
HS
P
3.1 UC completes user account
removal form and sends to CCIM Support Desk
3.6 UC informs manager user
account is removed
3.5 Informs UC user account
removal is completed
3.4 Updates ticket for Support Centre
3.3 Validates UC authorization and
deletes User Account in IAR
3.2 Reviews user account removal
request and sends ticket to HINP
Start End
3.7 Updates and closes the ticket
83
User Account Management: Analyze
• Map and review existing User Account Management process– How are current IT user accounts being provisioned?– Are there any existing process you can leverage?– Who initiates user account creation/change/removal?– Who authorizes user account creation?– Who authorizes user account change or removal?
84
User Account Management: Design Integration Points
• Creating new user account after implementation (non-bulk)
• Changing user details, such as phone number, work locations, or name
• Remove user account when user no longer requires IAR access (e.g., due to change of job function or departure from the organization)
User Account Management: Develop
• Obtain decisions on each integration point – Who is to be the User Authority?– Who is to be the User Coordinator?– Do you need multiple UAs and/or UCs?
• Get your Executive Lead to appoint the UA and UC• Update the existing IT account provision process
(if needed)
85
86
User Account Management: Implement
• Approve the process by senior management• Communicate the process with all staff• Provide training and awareness to the User Authority
(UA) and User Coordinator (UC), and perhaps all IAR users
87
AuditLog
ReviewAudit Log Review
88
Audit Log Review
• PHIPA requires access to PHI be on a need-to-know basis
• Organizations must have controls in place that regulate access and also log activity and procedures to regularly review logs and user access activity
• Audit logs and reports play an important role in access review process and breach investigations. Log review process must be established to identify any privacy breach and security incident
• HIC: Organizational level privacy logs should be reviewed by Local Privacy Officer regularly, depending on the volume and perceived risk level, to detect unauthorized access to PHI
• HINP: Global privacy logs should be reviewed for investigation purpose only by HINP Privacy Officer (e.g., if an incident occurs and HINP needs to perform investigation) Security Event Log should be reviewed daily to once a week by HINP Administrator to detect error or security incidents
89
Audit Log Review Guidelines
• Audit log review is conducted at the HSP and HINP
– HSP Privacy Officer reviews local audit logs and reports for potential incidents
• HINP is involved if the log review at the HSP uncovers incident requiring HINP to assist in the investigation
• HINP Privacy Officer reviews audit logs for potential incidents that affect IAR and the HINP IT infrastructure
– HINP communicates to HSP if an incident is uncovered at the HINP that affects other HSPs (*This triggers Integrated Incident Management process)
90
Audit Log Review Guidelines
• Establish review schedule and routine
• Understand user activity baseline
• Look for out-of-ordinary activities and events:– Unauthorized access– Excessive client searches– Excessive assessment searches
• Investigations– User ID-based– Client/Patient ID-based
91
Operational Reports
• OP1 – List of IAR Users• OP2 – List of IAR Organizations
92
OP1 – List of IAR Users
93
OP2 — List of IAR Organizations
94
Privacy Reports• PS1 – IAR User Activity Report • PS2 – IAR Event Type Report • PS3 - IAR Consent Directives History Report• PS4 - IAR Current Consent Directive Report • PS5 – IAR User PHI Access Report• PS6 – IAR PHI Disclosure Report• PS7 – Assessment Disclosure Query
95
PS1 – User Activity Report
96
PS2 – Event Type Report
PS3 – IAR Consent Directives History Report
97
98
PS4 – IAR Current Consent Directive Report
99
PS5 – User PHI Access Report
100
PS6 – IAR PHI Disclosure Report
101
PS7 – Assessment Disclosure Report
102
Report Format
103
Report in CSV Format
CSV formatted files can be imported into Excel for further analysis and formatting
104
Privacy ReviewPrivacy Review
105
Privacy Operations Review
• Privacy review is defined in the Data Sharing Agreement
• All HSPs should conduct privacy and security self-assessment on a regular basis, which will assess the effectiveness and efficiency of the privacy operations to ensure continued compliance with the DSA
• The self-assessment should be conducted based on a checklist agreed by all HSPs, to ensure consistency and comparability of the result
• The results of the self-assessment shall be signed off by the HSP’s senior management and submitted to the Privacy and Security Committee for review
• Privacy and Security Sub-Committee reviews gaps and mitigation plans from HSPs
• HINP follows up on progress of mitigation plans from HSPs
106
Self-Assessment Checklists
Sections
1. General Governance and Operations
2. Consent Management
3. Audit Log Review
4. Client Privacy Right Support
5. Integrated Incident Management
6. User Account Management
107
Integration Points
• Identify who is accountable for signing off on the self-assessment report
• Identify who is responsible for performing the self-assessment and conducting the review
• Identify if there is a need to involve different individuals when conducting the different area or section of the review
108
109
Enterprise Master Patient Index (EMPI)
Enterprise MasterPatientIndex
110
EMPI Overview
• EMPI is an Enterprise Master Person Index that uniquely identifies a person across multiple sources (HSPs)
• EMPI creates a unique enterprise identifier (EID) for any single client
– EMPI establishes and maintains a mapping between the EID and the client’s identifier used inside each of the participating HSPs
• EMPI operations ensure the accuracy, completeness and “up-to-date-ness” of a client’s demographics to uniquely identify a person across multiple sources (HSPs)
• Define the processes to identify, escalate, resolve issues related to client’s demographic information
111
How Matching Is Done
• The EMPI compares demographic data from each assessment and creates matches based on an algorithm and established thresholds
• Demographic information used includes:– First Name
– Last Name
– Date of Birth
– Gender
– Telephone Number
– Address
– Health Card Number
• Better matches are reached when using a Health Card Number
112
Health Records Lead Role
• Designated by the Executive Lead
• Helps resolve EMPI data element issues:
– Potential linkage
– Potential duplicate
– Potential overlay
• Interacts with the EMPI Data Steward (EDS) at Consolidated Health Information Services (CHIS) – the EMPI HINP
• Liaises with clinicians, health record personnel, and/or Privacy Officer and facilitates resolution to data element issues
113
Typical EMPI Questions
• Potential Linkage – record for the same person from a different source
• Potential Duplicate – duplicate record for same person in same source
• Potential Overlay – same record with different person (NOTE: no records can be viewed from IAR until an overlay issue is
resolved)
114
EMPI Process Summary
• EMPI Data Steward notifies HSP of data quality issues or errors identified from EMPI regarding client demographic information
• HSPs evaluate, investigate and resolve the identified data quality issues or data errors
• HSPs resubmit assessments if issues are identified and corrected
• EMPI Data Steward and CCIM Support to work with HSPs to resolve major demographic data quality issues or data errors
Communication, Awareness and Training, and Next Steps
116
Communication
• HSPs need to raise key stakeholders’ awareness and support of the privacy and security of IAR
• HSPs need to obtain the support for the privacy and security implementation
• HSPs need to ensure timely, consistent, clear and coordinated messages
• CCIM will support the HSPs in their communication activities through the development of tools and materials
117
Awareness and Training
• HSPs need to raise the staff’s awareness of the privacy and security of IAR
• HSPs need to provide training on the privacy processes to the staff who participate in the privacy management activities, such as consent management, breach management, etc.
• CCIM will support HSPs in their awareness and training activities through the development of training tools and materials
– https://www.ccim.on.ca/Pages/sp_elearning.aspx
Next Steps
• Review and implement privacy and security processes to support IAR
• Complete the required forms and send to CCIM
• Attend the DSA Workshop if you have not already, get the DSA signed, and send it to CCIM
• Check out the Common Privacy Framework
https://www.ccim.on.ca/IAR/Private/Document/IAR%20Privacy%20and%20Security/Common%20Privacy%20Framework/Consent_Management_Implementation_guide_v1.1_20110602_CPF.pdf
118
119
Support Centre
Monday to Friday
1.866.909.5600 option 88:30 am ― 4:30 pm
Thank You!
120